From there, he made over $70,000 worth of purchases without his victims knowing, taking extra care to avoid detection by connecting to the Internet through tethering on his mobile phone via prepaid SIM cards.

Lim Jun Quan had no regard for the law - he did all this while on probation, having been earlier convicted of similar offences under the Computer Misuse and Cybersecurity Act.

Even when he was arrested again for fresh offences and released on bail, he continued his criminal ways.

He is the first person to be convicted for using hacking to commit financial crime here.

In January 2014, Lim, who was then serving his national service, was sentenced to 18 months' probation for illegally accessing people's PayPal accounts, the court heard.

Instead of learning his lesson, Lim broke the law again just a month later, after researching hacking tools online.

First, he downloaded one such program - which cannot be named due to a gag order to prevent copycats - and used it to extract information from a local website.

The stolen database of information contained the usernames and passwords of people who had accounts with the site.

Lim tried these username-password combinations on online transaction sites such as Groupon, PayPal or Qoo10 and gained access to 18 of them.

Between February and June 2014, he used the 18 accounts to make purchases worth about $48,320.

After receiving reports from several users that their accounts had been hacked, police found that the items, such as Samsung mobile phones and Bottega Veneta wallets, had all been delivered to an address in Choa Chu Kang - the home of Lim's friend, Gabriel Tan Li Qun.

It turned out that Lim was in cahoots with Tan and another friend, Leong Jia Hao, who were helping him receive the stolen goods and selling them off.

Lim was arrested on June 21, 2014, but he continued re-offending until he was finally jailed yesterday. His accomplices, Tan and Leong, both now 20, were sentenced earlier to 27 months' probation each.

Experts: He used common hacking tool

He may have hacked into multiple websites, but what serial hacker Lim Jun Quan used was a common hacking tool, cybersecurity experts told The New Paper yesterday.

Structured Query Language (SQL) injections, used by Lim, are one of the most prevalent and dangerous forms of web attacks, said Associate Professor Hugh Anderson from the National University of Singapore (NUS) School of Computing.

Prof Anderson said that this method of gaining sensitive data is so easily accessible that any technologically adept youngster aged 12 and above would be able to do it.

"It is not a highly technical thing that (Lim) has done and anyone could have done it," he said, before sharing information that we cannot publish as it might be used by copycats.

Mr David Freer, vice-president of Intel Security's Asia-Pacific consumer division, said: "It is an attack whereby an attacker can execute malicious SQL commands to take control of a web application's database server."

This is especially dangerous since web applications use a back-end database to store critical personal information like usernames, passwords and credit card numbers.

"As the digital revolution brings more devices online, the frequency of attacks will continue to increase and grow in sophistication," he said.

Mr David Maciejak, Fortinet's head of FortiGuard Lion Asia-Pacific research and development team, said that in such attacks, the onus is on businesses to keep their customers safe.

"The only way to have a proper level of security is for the website to deploy two-factor authentication (2FA).

"SMS-based 2FA is relatively easy to deploy, and is still safer than purely using a password for authentication," he said. - Annabelle Zhang